Internal Audit Service
Draft Internal Audit Plan 2018-19
Draft Issued by: John Pearsall
(Head of Internal Audit, Risk and Insurance)
Distribution: Audit Committee
Corporate Leadership Team (CLT)
Corporate Governance Group
Contents
1. Executive Summary
2. Introduction
3. Responsibilities and Scope
4. Internal Audit Planning Methodology
5. Characteristics of the 2018-19 Internal Audit Plan
6. Resourcing and Delivery of the Internal Audit Plan
7. Proposed Work Programme for 2018-19
Appendix A Details of the Proposed Work Programme
Appendix B Consultancy and Assurance work for inclusion in 2018/19 Internal Audit Plan
Appendix C Audit Categories
Executive Summary
1. The development of the 2018/19 Internal Audit Plan has been undertaken against the continuing backdrop of ongoing fundamental
strategic and operational change throughout Stockport Council. As a consequence, the audit planning process has been directed and
governed by the risk environment as it currently stands. There is, however, an appreciation that the control environment, and the
subsequent risk profile, of the Council, will inevitably change over the next financial year. This will inevitably result in a revised Plan that
will need to be further risk assessed throughout the year (as happened in 2017/18).
2. Another fundamental feature of the 2018/19 Audit Plan is the inbuilt flexibility that will allow resources to respond to these changing
demands for assurance work. This flexible approach has worked positively in the past three years by allowing quick and effective targeting
of resources to high risk areas as they arose throughout the year. In addition, the Council will inevitably face considerable risk, control and
governance challenges as key and fundamental projects mature and are embedded in the organisation. This includes the ongoing
integration of health and social care (Stockport Together), reliance and careful control over third party providers (SPA arrangements), the
Digital by Design Phase 2 project, the continuing GM devolution agenda and the business rates retention project. Risk will be further
evident not only in terms of the scale of savings required to be delivered but also the way in which the Council operates. The Audit Plan
will therefore support these challenges by allowing flexibility in reviewing these areas in the form of sub or mini plans. Any changes within
the year will be discussed with the Corporate Leadership Team prior to approval by the Audit Committee.
3. The 2018/19 Plan continues to combine levels of assurance with innovative ways of working. We continue to roll out IDEA software as an
efficient way of testing key system controls using technology, we provide joint assurance work with Trafford and Rochdale Internal Audit
services to deliver six key procurement reviews (two reviews per Council) and externally procure Salford Internal Audit services to deliver
our ICT reviews. This year’s plan also aims to provide further clarity on the activities of three core areas - Internal Audit, Risk Management
and Counter Fraud. A number of audits have a different approach whereby audit resource is directed to support services and any specific
financial gain identified from the pieces of work is shared (Personal Budgets, HB Subsidy Grant and business rates are examples).
Finally the Greater Manchester Devolution Deal presents both opportunities and challenges. The devolution of new powers and budgets
from government to the GM Combined Authority will require a reformed and complex governance model and the way in which GM wide
assurance is delivered in the future will require strategic review and change. As part of this process the Head of Internal Audit, Risk and
Insurance is working closely with colleagues of the nine other members of AGMA to deliver an overall Assurance Strategy that will direct
the delivery of this assurance in a joint and cost effective way. Lastly discussions are also planned with Mersey Internal Audit Agency to
determine the most cost effective way to deliver assurances around the Stockport Together programme. This new widening of assurance
providers demonstrates the way in which Internal Audit is using its limited resources in the most effective way.
1. Introduction
1.1 This document summarises the results of Internal Audit’s planning work. It sets out the details of the
Responsibilities and scope of Internal Audit;
Internal Audit Planning Methodology;
Characteristics of the 2018-19 Internal Audit Plan;
Resourcing and delivery of the Council’s Internal Audit service;
Proposed programme of work for 2018-19 (the Audit Plan).
1.2 The Audit Plan for 2018-19 has been prepared in accordance with the requirements of the Public Sector Internal Audit Standards
(PSIAS). The PSIAS represent mandatory best practice for all internal audit service providers in the public sector.
1.3 The Council has adopted the PSIAS definition of internal auditing:
‘Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s
operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve
the effectiveness of risk management, control and governance processes’.
1.4 In accordance with PSIAS, the mission of internal audit is to ‘enhance and protect organisational value by providing risk-based and
objective assurance, advice and insight’. The work of internal audit is a key element in delivering the Council’s strategic priority of
reform and governance, but also supports the Council in achieving all the aims and objectives set out in the Investing in Stockport Plan
2015-2020 and the Stockport Council Annual Plan.
1.5 The PSIAS require that the Internal Audit Service is delivered and developed in accordance with the Internal Audit Charter. The Internal
Audit Charter provides the functional and organisational framework in which Internal Audit operates to best serve Stockport Council and
to meet its professional obligations under the PSIAS. In addition, the PSIAS require the Internal Audit & Risk Manager to prepare an
annual risk-based internal audit plan, which takes into account the requirement to produce an annual internal audit opinion. This opinion
statement is a key contributor to the Annual Governance Statement, which the Chief Executive and the Leader of The Council are
required to sign off alongside the final accounts each year.
2. Responsibilities and Scope
Responsibilities of internal audit
2.1 The internal audit function is responsible for:
Reviewing and developing the Council’s governance processes. Specifically, this includes:
- Promoting appropriate ethics and values within the Council;
- Supporting effective organisational performance management and accountability;
- Communicating risk and control information to appropriate areas of the organisation;
- Coordinating the activities of, and communicating information among, the Audit Committee, external audit, internal audit
and management.
Evaluating the effectiveness of the Council’s risk management processes and contributing to their improvement;
Assisting in the maintenance and development of an effective control environment by providing robust independent assurance
over its operation.
2.2 In order to fulfil this requirement, Internal Audit is independent of all the activities of the Council. Internal Audit has the right of access to
all information and records held by the Council and may seek explanations on any matters from any officer or Member of the Authority.
Responsibilities of management
2.3 The establishment and maintenance of adequate control systems is the responsibility of management. Recommendations made
by internal audit can reduce risk and improve systems of control. However, the implementation of audit recommendations cannot
eliminate risk entirely.
Responsibilities of the Audit Committee
2.4 In regard to internal audit, the Audit Committee is responsible for:
Approving, but not directing, internal audit’s strategy, plan and monitoring performance;
Reviewing summary internal audit reports and the main issues arising, and seeking assurance that action has been taken where
necessary;
Receiving and considering the Head of Internal Audit’s annual report.
Responsibilities for fraud prevention and detection
2.5 The primary responsibility for the prevention and detection of fraud rests with management. Management’s responsibilities include
creating an environment where fraud is not tolerated, identifying fraud risks, and taking appropriate actions to ensure that controls are in
place to prevent and detect fraud.
2.6 It is not the role or responsibility of internal audit to detect fraud. However, internal audit will evaluate the potential for the occurrence of
fraud in each assignment and how the Council manages the risk of fraud.
Scope of internal audit activities
2.7 The scope of internal audit work includes:
The entire control environment of the Council, comprising financial and non-financial systems;
Reviewing controls that protect the interests of the Council in its dealings with partnerships in which the Council has an
involvement.
2.8 Internal audit may also provide assurance services to parties outside the Council with the prior agreement of Audit Committee.
3. Internal Audit Planning Methodology
3.1 The approach to audit planning for 2018/19 has been a risk based approach in line with the requirements of the PSIAS and has been
prepared following consultation with key stakeholders including senior management to establish the key current and emerging risk areas
faced across the Council. Further consideration has been given to:
priority areas suggested by Senior and Middle Management;
a review of the 2018/19 Council Plan and the Borough Plan;
a review of current strategic, portfolio, project and operational risks, in particular the areas identified within the Corporate Risk
Register;
other existing sources of assurance (e.g. external audit, external regulators like Ofsted and the Quality Care Commission and
other “second line of defence” assurance like risk management and compliance functions);
results of previous internal audit work and cumulative audit knowledge and experience;
known changes to the Council’s business, operations, programs, systems and controls;
the requirement to ensure sufficient and wide ranging coverage in order to provide a robust annual audit opinion;
planned work deferred from the 2017-18 Audit Plan that is still considered a priority.
3.2 Potential audit areas have been identified and assessed against the following Risk Categories:
Strategic/business;
Operational;
Financial;
Credit;
Compliance;
Customer Outcome;
Technology.
4. Characteristics of the 2018-19 Internal Audit Plan
Alignment of the Audit Plan to the Council’s Corporate Priorities
4.1 The Audit Plan is presented in a way that shows how each planned review aligns with the Council’s Corporate Priorities. Clearly a
number of reviews will contribute to more than one priority. For presentational purposes the reviews have been listed under the priority
that is considered most clearly linked to that review area.
Budgeted time allocations
4.2 A budgeted time allocation has been set for each assignment included in the Audit Plan. It is accepted that the exact resource
requirement for each assignment cannot be forecast with certainty. The plan therefore represents the best estimate of the way in which
the Council’s internal audit resources will be deployed. The overall objective is to deliver the plan in line with approved Key Performance
Indicators and to provide sufficient overall assurance to support the Annual Head of Internal Audit Opinion Report.
Timing and prioritisation of audit work
4.3 The intention is to complete all planned work within the year. A requirement of the PSIAS standards is that all reviews in the Plan must
be prioritised following assessment. This is highlighted against each review in Appendix A and will take account of:
The need to finalise any work from 2017/18 that remains incomplete at year-end;
The need to prioritise the reviews deferred from the 2017/18 Audit Plan;
The views of management of the service areas in regard to the timing of work;
Any other factors that may be relevant to the timing of a particular piece of work (for example, external reviews of services);
Any urgent unplanned work arising;
Changes in the level of audit resources available.
Significant interim changes to planned work
4.4 The Audit Plan put before the Audit Committee provides a robust basis for internal audit work, whilst acknowledging and ensuring that
sufficient flexibility is retained to allow us to react to significant changes in the risk environment and to enable assurance to be obtained
over current and emerging risks. In producing the plan, we have taken account of the current economic and financial pressures on the
Council and will continue to ensure that we deliver an efficient and effective service in the future.
4.5 As a result, the Audit Coverage Model (Audit Universe) will be reviewed on a regular basis and this will help to support the future
direction of the Audit Plan by identifying high risk areas that require more immediate independent assurance. All changes and updates
will be reported to the Corporate Leadership Team and the Audit Committee on a regular basis to allow for discussion and challenge on
any proposed changes to the plan. There has been an increased demand for service delivery and transformation work and advice in the
areas of change and the ceasing of services. Therefore a key characteristic of the plan is its flexibility with time being allocated for this
type of work and time also allocated for contingency and consultancy to be applied to emerging risks and to enable the team to react to
client demand.
4.6 Periods of change increase the potential for risks both positive (opportunities) and negative (hazards), for example significant change
provides opportunity for a breakdown in control as well as an opportunity to consider new, more effective and efficient ways of
organising people, systems and processes without impacting adversely on internal control. To reflect this, the plan includes time for
consultancy / advice and guidance and project / systems development in order to support and challenge officers in the establishment
and development of their systems of governance, risk management and internal control.
5. Resourcing and Delivery of Internal Audit Plan
Resource requirements
5.1 The level of resource required to deliver an effective internal audit service to the Council has been assessed based on the need to
provide adequate audit coverage of the Council’s:
Risk management and governance arrangements;
Front line services;
Support services;
Procurement and contract management activity;
Information management arrangements;
Key financial systems;
Anti-fraud and corruption arrangements;
Schools.
5.2 Account has also been taken of the need to be able to resource:
Unplanned work which may arise during the year;
Follow up work to provide assurance that previously agreed recommendations are implemented;
Provision of advice and consultancy to internal customers.
5.3 The 2018/19 Internal Audit Plan will be managed with a strategic lead and overview from the Head of Internal Audit, Risk and Insurance,
and delivered predominantly by an experienced and suitably qualified in-house team of 4 FTE auditors. Further resource around risk
management, counter fraud, insurance, claims handling and highways inspections is now fully embedded within the wider Internal Audit,
Risk Management and Insurance service. This helps to deliver opportunities of cross utilisation and flexible use of skills between the
teams, as well as provide a source of flexible resource to assist in the delivery of the Audit Plan.
5.4 A resource calculation has determined the net number of days available to undertake audit work in 2018/19 as 994 days. This is based
on:
30% of Head of Audit, Risk and Insurance resources representing the time spent on strategic audit management;
A current internal audit structure of one CSS Audit Manager (55% of available time and 45% management time), supported by
two full time CSS Senior Officers and one full time CSS Officer;
Further resources available from the Risk Management and Counter Fraud team of one Risk Manager (80% deployed on an
ongoing advisory / consultancy basis on high risk projects), 0.8 FTE CSS Senior Officer (50% deployed on an ongoing advisory /
consultancy basis on Stockport Together and 50% on audits) and one CSS Officer dedicated to counter fraud work.
5.5 The actual days required in the Internal Audit Plan 2018/19 is 1075 days. The total resource was deducted from actual days required in
the Plan and a difference of 81 days is evident.
                                                        2017/18   2018/19
Resources available
Total available days (Note 1)                             1,371     1,464
Less: Non Chargeable time (Note 2)                        (130)     (270)
Less: Consultancy & Assurance work (Appendix B)           (220)     (200)
Net Days available for SMBC Internal Audit                 1021       994
Resources required
Total planned days in the Internal Audit Plan             1,080     1,065
Difference of Resource Available to Resource Required      (59)      (71)
Note 1: After deduction of annual leave, bank holidays and sickness provision. This now includes time by the Head of Internal Audit, Risk and Insurance in 2018-19, and takes
into account a three month vacancy with respect to the Counter Fraud Officer.
Note 2: Training, administration, team & SMT meetings, external meetings in 2017/18. This has been expanded in 2018-19 to include time spent by the Head of Internal Audit,
Risk and Insurance on audit planning, audit management, and audit committee reporting duties. This time was not included in the 2017/18 Plan.
6. Proposed Work Programme for 2018-19
6.1 The table below shows the planned days against each corporate outcome. Details are set out in Appendix A.
Corporate Outcome                                               Planned Days
People are able to make positive choices and be independent     165
People who need support get it                                  250
Stockport benefits from a thriving economy                      110
Stockport is a place people want to live                        90
Communities in Stockport are safe and resilient                 70
Reform and Governance                                           330
Other Work
  Follow-ups                                                    40
  Completion of 2017-18 work                                    10
  Other Work subtotal                                           50
Total Planned Days                                              1065
6.2 The chart below shows how the total number of days is allocated across the various categories of assurance work to contribute to the
provision of the annual audit opinion. (An explanation of the various categories of assurance work is set out in Appendix C).
6.3 The chart below shows how the total number of days is allocated across the various categories of assurance work to contribute to the
provision of the annual audit opinion.
[Chart: allocation of planned days across audit categories (Financial systems; ICT; Compliance; Programme / Project; Strategic / Governance review; Pro-active anti-fraud; Contract / Procurement; Service Review)]
APPENDIX A
1. People are able to make positive choices and be independent
Audit Review: Stockport Together
Days: 80
Risks context: The health and social care system in Stockport is unsustainable in its current form. If working practices do not change, the financial position is set to deteriorate so that by 2020/21, if no action is taken there will be a c£154m deficit. The Stockport Together partners are undertaking a fundamental change in the way health and social care services are delivered, organised and commissioned.
Planned coverage: Reviews of the arrangements around specific delivery projects to ensure that the Council is delivering the long term financial savings and has adequate arrangements to manage risk as the programme progresses.
Audit Category: Programme / Project

Audit Review: Adult social care residential market (including the Borough Care project)
Days: 25
Risks context: The Borough currently has over 50 private and not-for-profit care homes for older people providing approximately 2000 beds. The Council does not own any residential provision for adults. The Council is responsible for working in partnership with existing and potentially new providers of adult social care residential homes in order to develop a sustainable market. There are a number of issues facing the Council, in particular risks around the capital costs of building new residential homes and financial difficulties by existing providers with resulting home closures.
Planned coverage: Review of the arrangements around market shaping and market capacity activities and developing a sustainable care home market within the borough.
Audit Category: Strategic / Governance review

Audit Review: Care management budgets and market management
Days: 25
Risks context: There continues to be significant financial pressures within the care management services for residential and nursing care and non-residential services. This is related to the increase in the transfer of clients back into the community from Delayed Transfers of Care (DTOC) out of hospital.
Planned coverage: Review of the arrangements around the development of measures to improve the efficiency and effectiveness of the service and the market whilst maintaining financial resilience.
Audit Category: Service Review

Audit Review: Homecare
Days: 15
Risks context: Demand for home care is currently exceeding supply in the market with waiting lists for packages of care growing faster than additional capacity is being identified. A key priority for 2018/19 is the recommission of reformation of homecare and this model of provision will be integrated into neighbourhood care.
Planned coverage: Review of the commissioning arrangements for Homecare to ensure value for money is achieved.
Audit Category: Procurement / Contract

Audit Review: Personal Budgets – Direct Payments
Days: 20
Risks context: Nationally, there has been a rise in the number of fraud cases identified in adult social care, particularly around where direct payments were not being used to pay for the care of the individual vulnerable adult. In addition, the value of the loss has started to increase.
Planned coverage: A new approach by Internal Audit will seek to undertake substantive audit testing of direct payment cases.
Audit Category: Pro-active anti-fraud

Total 165
2. People who need support get it
Audit Review: Stockport Family
Days: 10
Risks context: The forecast outturn for Children and Family services is a large deficit of £4m by March 2018. A financial recovery plan is in place.
Planned Coverage: Risk advice, ongoing consultancy support.
Audit Category: Programme / Project

Audit Review: Adult safeguarding investigation procedures
Days: 20
Risks context: The safeguarding investigation process is key to the safeguarding of adults. It is important that the investigation process is robust and ensures appropriate sound, professional, evidence-based decisions on the protection of individuals and others are made.
Planned Coverage: A review of how safeguarding investigations are undertaken, how the decision making process is quality assured and the independence of case conferences will be undertaken. In particular it will examine the conversion rates between safeguarding referrals, Section 42 investigations and case conferences.
Audit Category: Service review

Audit Review: Regional Adoption Agency – Adoption Counts
Days: 20
Risks context: Adoption Counts is a new collaborative partnership agency established in July 2017 and is hosted by the Council. New partnership working arrangements and financial arrangements are in force.
Planned Coverage: A review of the performance and financial management arrangements over the new agency will be undertaken to ensure that risks to achieving its objectives are effectively mitigated.
Audit Category: Service Review

Audit Review: Looked after children (LAC) – funding, external placements and market management
Days: 20
Risks context: Further increases to numbers of LAC resulting in further financial pressures in respect of external placements, difficulties in sourcing placements and difficulties in agreeing responsibility for funding. This is a key element to be controlled as part of the Stockport Family Recovery Plan.
Planned Coverage: A review of the process to place LAC, in particular, market management, placement searches, commissioning and process for agreeing weekly rates, and approval of funding.
Audit Category: Service review

Audit Review: Foster care payments (internal)
Days: 20
Risks context: The foster care payments system is now under new management and there are risks around ensuring accuracy, timeliness and completeness of payments to foster carers.
Planned Coverage: A review of the payments process, including expenses and additional payments to ensure procedures are robust and mitigate risks.
Audit Category: Service review / Compliance / Pro-active anti-fraud

Audit Review: Dial Park Children Home
Days: 10
Risks context: The children home is well established and it is timely for an overview of the arrangements to ensure risks over inappropriate payments are being mitigated. This will inform arrangements for the new children home that has recently opened.
Planned Coverage: A review of the governance and financial arrangements at the establishment will be undertaken with a view to providing assurance on the adequacy of the arrangements and compliance with financial regulations.
Audit Category: Service Review / Compliance

Audit Review: Recharges to CCG for joint care of clients
Days: 20
Risks context: The Council and the CCG have agreed joint funding for certain adults, particularly those in receipt of continuing health care and S117 aftercare. The process for approval of joint care and the financial procedures for recharges are not as robust as they should be.
Planned Coverage: A review of the approval and financial procedures around recharging of costs in relation to agreed joint care of service users.
Audit Category: Service Review

Audit Review: Troubled Families (TF)
Days: 15
Risks context: This is a national initiative in an effort to reduce the number of families that were defined as having or causing problems to the community around them. Such families were also seen to place high costs on the public sector. Internal audit involvement in the first phase of the Troubled Families Programme was predominantly data-focused, focusing on payments by results. Within the context of devolution, a new agreement has been reached and approval for GM authorities to have their own financial framework. As part of this the GM has agreed a TF Outcomes Plan which sets out the targets and metrics that the programme will strive towards and ultimately be measured against. It is a requirement for Internal Audit to verify the outcomes.
Planned Coverage: As the result of new arrangements, the audit approach has changed from 2018. We will focus on the verification of the quality assurance and decision making processes around case management.
Audit Category: Service Review

Audit Review: School admissions
Days: 15
Risks context: Schools admission is a high profile area and with demand for school places increasing at specific schools in the borough, it is important that procedures are robust and detect fraudulent applications.
Planned Coverage: A review of the school admissions process will be undertaken with a focus on proactive anti-fraud measures.
Audit Category: Service Review & Proactive anti-fraud review

Audit Review: Schools and a Pupil Referral Unit (PRU)
Days: 100
Risks context: The Council has nearly 100 schools that are responsible for setting their own budgets and managing their finances. The frequency of school audit visits is determined by a risk assessment based on audit assurance ratings, change in Headteacher and business manager, financial position and any known governance issues.
Planned Coverage: A standard audit programme has been developed for school audits, which is tailored to each school as required. 25 schools will be visited in the year, including the Highfields Inclusive Partnership.
Audit Category: Compliance

Total 250
3. Stockport benefits from a thriving economy
Audit Review: Stockport Exchange – Phase 3
Days: 15
Risks context: Stockport Exchange is a major regeneration scheme and represents substantial investment by the Council to help encourage economic growth. The project due to its speculative nature and significant borrowings comes with high risks.
Planned Coverage: We will continue to attend the established Project Board meetings to ensure key risks are discussed and managed.
Audit Category: Programme / Project

Audit Review: Redevelopment of Merseyway
Days: 15
Risks context: The redevelopment of Merseyway represents a substantial investment by the Council to help encourage economic growth and to improve the quality of life for residents. Development schemes can often have complex funding arrangements and frequently involve working with partner organisations.
Planned Coverage: We will continue to attend the established Project Board meetings to ensure key risks are discussed and managed.
Audit Category: Programme / Project

Audit Review: Markets and Underbanks
Days: 10
Risks context: A significant investment programme is underway to revitalise the markets and underbanks area. There are a large number of projects underway, which makes it important that adequate programme and project arrangements are in place to ensure successful delivery.
Planned Coverage: We will continue to attend the established Project Board meetings to ensure key risks are discussed and managed.
Audit Category: Programme / Project

Audit Review: Review of income and lettings risks at Merseyway, Aurora and Red Rock
Days: 20
Risks context: Merseyway, Red Rock and Aurora are new and significant assets to the Council and there are risks around ensuring units are let and income is maximised.
Planned Coverage: We will review the arrangements over lettings and collection of income.
Audit Category: Service Review

Audit Review: Town Centre Access Plan (TCAP)
Days: 15
Risks context: The TCAP represents a substantial capital programme with significant funding from the Local Growth Fund, and involves partnership working with Transport for Greater Manchester.
Planned Coverage: We will review the arrangements to ensure the Council protects its interests and manages risks to the capital programme.
Audit Category: Programme / Project

Audit Review: Governance arrangements over highways improvement works, public realm and town centre management and regeneration
Days: 20
Risks context: There is a significant level of regeneration works and highways improvement works within the Town Centre that are managed by different services within Place. This poses risks that these arrangements are not maximised to achieve the outcomes desired.
Planned Coverage: We will examine the strategic and governance arrangements the Council has in place over the Town Centre to ensure risks to the regeneration programme and the highways improvement works are minimised.
Audit Category: Strategic / Governance

Audit Review: Governance arrangements over Stockport Hotel Management company
Days: 15
Risks context: The Council has established a wholly owned subsidiary company to run the hotel (through a contract with Interstate Ltd). It is an innovative new income stream for the Council.
Planned Coverage: The audit will examine the governance and financial arrangements that the Council has in place over the hotel company.
Audit Category: Strategic / Governance

Total 110
4. Stockport is a place people want to live
Audit Review: SEMMMs
Days: 15
Risks context: This is a significant capital programme, in the region of £230million. Further proposals are in place for new additional road schemes as part of the SEMMMs strategy.
Planned Coverage: We will continue to attend the established Project Board meetings to ensure key risks are discussed and managed.
Audit Category: Programme / Project

Audit Review: Highways reactive maintenance – repairs defects categories
Days: 20
Risks context: The Council performance in defending against highways claims has been poor in the past. Significant work has been undertaken to review the repairs defects categories to improve the repudiation rates.
Planned Coverage: We will undertake a review of the arrangements against the new repairs defects categories to ensure repudiation rates are improved.
Audit Category: Service Review

Audit Review: Public Realm – client side monitoring of Solutions SK (SSK)
Days: 20
Risks context: As part of the austerity programme, the Council has reduced its payments to SSK. This presents risks to the delivery of the service to members of the public.
Planned Coverage: A review of the new SLA arrangements between Public Realm and the Council to ensure key risks around delivery of services are mitigated.
Audit Category: Contract / Procurement

Audit Review: Housing strategy – Affordable housing delivery / Viaduct Housing Partnership
Days: 20
Risks context: In line with national trends, Stockport faces a housing crisis. A strategy is in place to develop affordable housing and there are risks to the achievement of this housing delivery programme.
Planned Coverage: We will undertake a review of the oversight and performance management arrangements of the delivery of the affordable housing programme including the new Viaduct Housing Partnership.
Audit Category: Service Review and Contract / Procurement

Audit Review: Highways Code of Practice
Days: 15
Risks context: The Highways Code of Practice recently issued in 2016 has changed the focus from reliance on specific guidance and recommendations in previous codes to a risk-based approach determined by the local authority.
Planned Coverage: We will undertake a review of the risk based approach undertaken by the Council to implement the key provisions of the code of practice. As part of this review, we will review the Council’s processes for approving the new arrangements.
Audit Category: Service review

Total 90
5. Communities in Stockport are safe and resilient

| Audit Review | Days | Risks context | Planned Coverage | Audit Category |
|---|---|---|---|---|
| Community Safety | 20 | Following the 2016 restructure of community safety, the operational functions are now managed primarily within the People and Place directorates, whilst the strategic functions relating to the Council’s statutory responsibilities are governed through the Safer Stockport Partnership. There is a risk that the strategic and operational arrangements are not aligned with each other. | Review of the strategic and operational arrangements within the Council with respect to its links to the Community Safety partnership and strategic priorities. | Strategic / Governance |
| Taxi licensing computer system – data quality checks | 10 | The service has recently implemented a new case management system. This has been problematic with significant errors in the information migrated from the Civica APP system to the new IDOX management system. | We will continue to use IDEA to compare the information between the Civica APP system to the new IDOX management system to support the service to improve the data quality of the new system. | ICT / Service review |
| Community Investment Fund (Two phase review) | 10 | This is a new community initiative and involves new financial processes. | Consultancy and risk advice will be provided in the beginning of the year as the new arrangements are developed. | Programme / Project |
| | 15 | | In the last quarter of the year, the audit will examine the new financial arrangements over the administration of the Community Investment Fund. | Service Review |
| CCTV / Control / Patrol arrangements | 15 | There are a number of risks around the provision of this service provided by Solutions SK, in particular around the level of service required, management arrangements of the service and clarity over the costs. A process improvement service is currently being undertaken. | In the latter part of the year, we will undertake a review to provide assurance that adequate controls have been put in place to mitigate the risks. | Service review and Contract / Procurement |
| Total | 70 | | | |
6. Reform and Governance

| Audit Review | Days | Risks context | Planned Coverage | Audit Category |
|---|---|---|---|---|
| Supplier / Partnership working | 10 | Following the administration of Carillion, the Council’s property services provider, the risks around ongoing delivery of property services, in particular via the supply chain, have increased significantly. | Ongoing consultancy support / risk advice with the current Property Services provider | Programme / Project |
| Supplier / Partnership working | 20 | Following the administration of Carillion, the Council’s property services provider, the risks around ongoing delivery of property services, in particular via the supply chain, have increased significantly. | Strategic review of controls around supplier and third party risk arrangements. | Contract / Procurement / Service Review |
| Digital by Design – Phase 2 | 10 | This is a significant capital programme designed to create a new platform and data warehouse to enable future service and transactional level interfaces. There are inherent risks around programme management, in particular ensuring costs are well managed and anticipated benefits are achievable. | Reviews of the arrangements around specific delivery projects to ensure that the Council has adequate arrangements to protect its interests and manage risks as the digital solutions are implemented and rolled out | ICT / Programme / Project |
| Implementation of General Data Protection Regulations (GDPR) / Information governance programme management arrangements | 5 | The new GDPRs, which replace the Data Protection Act 1998, come into force in May 2018. The GDPR goes beyond the current requirements of the Data Protection Act, and the Council needs to ensure that the way it collects, processes and stores personal data and information will comply with the new regulations. Penalties for non-compliance are significant. | Ongoing advice and consultancy support with the Project Team | Programme / Project |
| Compliance with GDPR | 20 | The new GDPRs come into force in May 2018 and the penalties for non-compliance are significant. | A review of the effectiveness of the arrangements to comply with the provisions of the GDPR. | Compliance |
| Traded Services / Income Generation | 10 | A number of services across the Council have income targets, which, combined, amount to £560,000, where they seek to either achieve full cost recovery for existing arrangements or to generate income in new arrangements. This is a challenging task for many services, and there is a risk that these income targets may not be achieved. | Review of the arrangements around developing the traded services offer and generating income to ensure income targets are achieved. | Programme / Project |
| Business Continuity – Service level | 10 | It is a statutory duty under the Civil Contingencies Act 2004 for local authorities to develop business continuity plans for all of the functions they provide. At a time when changing social, political and economic situations are forcing local authorities to be more innovative, the risks around continuing resilience have increased. | We will undertake a review of the Council’s service business continuity plans to ensure that arrangements for resilient networks, services and business critical information are in place, in the event of threats or disaster. | Service Review |
| IR35 | 10 | From April 2017 important changes to the tax legislation dramatically affect how public sector organisations procure resources and professional services. There is a risk that there is a lack of decision making or effective decision process over the assessment of existing and new contractual arrangements with potential IR35 applicable workers and new suppliers. This could lead to fines being levied against the Council. | We will undertake a review to ensure that adequate and effective controls are in place to minimise business risk to the Council with respect to the IR35 legislation and to provide assurance that all the requirements of the HMRC changes have been implemented. | Compliance |
| Implementation of social care case management system | 15 | The Services to People directorate has recently procured a joint case management system from Liquid Logic. A fundamental review of the business processes is being undertaken both within Children and Adult Social Care prior to the implementation of the Liquid Logic system. There are significant risks around the implementation of the new system given the wide range of information requirements across a vast range of complex services. | We will review the arrangements to implement the new case management system to ensure that the key risks are effectively mitigated. | ICT and Programme / Project |
| Service Planning and Performance management arrangements (Two phase review) | 10 | Public sector austerity is unlikely to change in the medium term, and the Council needs to keep a focus on its budget and delivering more savings and efficiencies through to 2021. The pressures remain as demand is rising across the Council for all its services with rising inflationary costs and reducing support from the Government. Linked to this is a greater focus on service planning and performance management, so that the Council can respond quickly to any areas that are struggling and put in place the right support. | Consultancy and risk advice will be provided in the beginning of the year as the new improved arrangements are developed by the Policy and Performance service. | Programme / Project |
| | 20 | | In the last quarter of the year, a review of service planning, financial and performance management arrangements will be undertaken in the three directorates. We will report our findings to the relevant directorate Senior Management Team. | Strategic / Governance |
| Business Rates collection | 15 | From April 2017, 100% retention of business rates is being piloted across the Greater Manchester region. This consequently increases the importance to the Council of maximising the collection of business rates. | We will undertake a review of the arrangements to identify all business rates liabilities and utilise IDEA as part of this review. | Financial system |
| Key financial systems (Debtors, Creditors, Payroll, Treasury Management) | 30 | These systems provide material disclosures for the financial statements. | High level reviews evaluating and testing the effectiveness of the key controls within each financial system | Financial systems |
| Cybersecurity (as this audit is undertaken by Salford Audit Services there are no allocated days required here) | 0 | Media reports of organisations that have fallen victim to a cyber-attack are increasingly widespread. Incidents may include loss of customer data, financial loss or denial of service. The consequences of such events can lead to fines, service disruption and reputational loss. Increased use of technology and openness to the internet makes the Council increasingly at risk of cyber-attack. | Salford Computer Audit Services will undertake this audit. The audit will examine the steps that the Council has taken to identify its cyber-risk exposures and to protect the various information assets that could be affected by a cyber-attack (such as hardware, systems, data etc.). | ICT |
| Cybersecurity Contingency Arrangements | 10 | | The review will also cover arrangements for contingency planning in the event of a cyber-attack. | Service review |
| Subject access rights (SAR) and Freedom of Information (FOI) | 15 | The introduction of GDPR brings some changes to the processes for dealing with subject access rights and freedom of information requests. | We will undertake a review of the arrangements to process SAR/FOI requests | Service review |
| Housing Benefits including subsidy claim | 15 | Housing Benefits is a complex system and vulnerable to fraud and errors, and in particular the benefits subsidy claim remains a risk. The DWP expect zero errors and the impact of any subsidy qualification is potentially very large. | We will undertake a review of the Housing Benefit system and the arrangements for producing the subsidy claim. We will also use IDEA software to review the adequacy of reports via the Civica system. | Financial system |
| National Fraud Initiative | 30 | NFI matches data across organisations and systems to help public bodies identify anomalies which may signify fraudulent claims and transactions. The Council is required by law to participate in NFI. | Co-ordination and investigation of the data matches identified from the exercise. | Pro-active anti-fraud |
| Corporate credit cards | 15 | The use of corporate credit cards is a high risk area vulnerable to fraudulent activities. | We will undertake a review of the controls over using corporate credit cards, authorisation of payments and reconciliation. As part of our work, we may utilise IDEA. | Pro-active anti-fraud |
| Data matching of benefit payment records between Housing & Council Tax, Section 17 and Stockport Local Assistance Scheme | 15 | The current processes do not allow for appropriate data sharing arrangements, and therefore there is a risk of duplicate payments or payments being made which the service user is not entitled to. | We will use IDEA to undertake data matching of benefit payment records to identify any duplicate payments | Pro-active anti-fraud |
| STAR Procurement – performance management arrangements | 15 | TBC | TBC | Contract / Procurement |
| STAR Procurement – topic to be determined | 15 | TBC | TBC | Contract / Procurement |
| Certification work | 15 | Every year the Council receives grant funding for specific initiatives. It is a requirement that the Head of Internal Audit signs a declaration to confirm that the conditions of funding have been complied with. | Annual review of key grants received to confirm expenditure is in line with grant terms and conditions. This will also involve the annual review of charitable accounts to confirm income and expenditure presents a true & fair view. | Compliance |
| Total | 330 | | | |
APPENDIX B
Consultancy and Assurance work for Inclusion in 2018/19 Internal Audit Plan

| Review | Description | Days |
|---|---|---|
| Continuous auditing / monitoring | Provision for further rollout of model on key areas and design of key reports. Review of results in partnership with relevant departments | 50 |
| Consultancy / advisory | Consultancy resulting from requests for ad hoc advice on risk and control matters | 25 |
| Project Development | Advisory work in response to management requests for risk and control advice during key project implementation or system redesign (this relates to requests from services outside of the Investing in Stockport Programme of Growth and Stockport Together) | 25 |
| Management reviews / investigations | Undertaking unplanned reviews or investigations as matters arise during the year or as directed by the Fraud & Irregularities Panel | 40 |
| External Work | Provision of Internal Audit services to SSK | 60 |
| Total consultancy and assurance work | | 200 |
APPENDIX C
Audit Categories

| Category | Description |
|---|---|
| GM assurance | A programme of reviews which involves joint working with Greater Manchester Internal Audit teams |
| Strategic/corporate governance | A programme of reviews identified to be the highest risk to the Council’s current objectives, strategic in nature and cross-cutting across several services within the Council. |
| Programme and Project audit | Reviews on specific programmes and projects considered to be the highest risk to the Council’s current objectives |
| Service reviews | A programme of reviews identified to be high risk but impacting on one service within the Council. |
| Financial systems audit | A programme of financial system reviews considered high risk |
| Contract / procurement audit | Reviews on specific procurement activities and contracts considered high risk. |
| ICT / Computer audit | Commissioned audit reviews of a technical nature from Salford Computer Audit Services. Combined with reviews to be delivered in-house. |
| Pro-active anti-fraud | A programme of proactive anti-fraud reviews, risk assessed for the potential of fraud (including the National Fraud Initiative) |
| School audits | A programme of school visits identified as highest risk taking into account any key changes in personnel, systems and finances. |
| Compliance audit | A programme of reviews identified as highest risk |
| Continuous Auditing/Monitoring | A resource dedicated to the review and support of continuous auditing/monitoring. |
| Consultancy, project support and advice | On-going consultancy work provided at the request of management and other stakeholders. |
| Certification work | Independent verification work required by grant funding bodies and legislation. |
| Investigations | Ad hoc investigations into suspected fraud and irregularities. |